{"id":1620,"date":"2020-09-27T07:54:31","date_gmt":"2020-09-27T14:54:31","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=1620"},"modified":"2023-09-27T14:22:12","modified_gmt":"2023-09-27T21:22:12","slug":"what-you-need-to-know-about-the-raccoon-attack-tls-vulnerability","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/what-you-need-to-know-about-the-raccoon-attack-tls-vulnerability\/","title":{"rendered":"What you need to know about the Raccoon Attack TLS&nbsp;vulnerability"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.ssls.com\/blog\/wp-content\/uploads\/What-you-need-to-know-about-the-Raccoon-Attack-TLS-vulnerability.png\" alt=\"\" class=\"wp-image-1398\"\/><\/figure>\n\n\n\n<p>A team of researchers has recently discovered a vulnerability that can affect HTTPS and other services that utilize TLS or SSL. Known as the Raccoon Attack, this vulnerability specifically affects TLS 1.2 and earlier versions of the encryption protocol. Is it something the average website owner should worry about? (Spoiler: not really, but it\u2019s always good to be informed.) <br><\/p>\n\n\n\n<!--more-->\n\n\n\n<p>Read on to get the lowdown on what the Raccoon attack is and what precautions you should take to <a href=\"https:\/\/www.ssls.com\/blog\/how-to-fix-google-chrome-ssl-certificate-errors-in-a-few-simple-steps\/\">protect<\/a> yourself.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is the Raccoon Attack vulnerability?<\/h2>\n\n\n\n<p>The Raccoon Attack allows hackers, under very precise circumstances and timing measurements, to break an <a href=\"https:\/\/www.ssls.com\/blog\/whats-the-difference-between-tls-and-ssl-certificates\/\">encrypted connection<\/a> and read potentially sensitive messages by determining a shared session key. 
This may sound scary, but this vulnerability can only be exploited if the following conditions are met:\u00a0<br><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The server is configured for TLS 1.2 or below<\/li><li>The connection uses a cipher suite that utilizes a static Diffie-Hellman key exchange or the server reuses ephemeral Diffie-Hellman public keys during the TLS handshake<\/li><li>The attacker is able to observe individual connections to obtain the private key&nbsp;<\/li><li>The attacker is close enough to the target server to get the timing right&nbsp;&nbsp;<\/li><\/ul>\n\n\n\n<p>Fortunately, a scenario in which all these conditions are met would be exceptionally rare.&nbsp;<br><\/p>\n\n\n\n<p>Most websites that use HTTPS have adopted \u2014 or are in the process of adopting \u2014 the newest version of TLS, which is TLS 1.3. TLS 1.3 doesn\u2019t support static Diffie-Hellman key exchange or reuse of ephemeral keys. Even if your server is configured to an earlier version of TLS, reusing public keys is considered bad practice, and is pretty rare. The Raccoon researchers found that only 3.33% of the top 100,000 websites on the Internet reuse Diffie-Hellman keys. 
Combined with the timing issue, there would need to be a perfect storm of circumstances for an attacker to successfully pull this off.&nbsp;<br><\/p>\n\n\n\n<p>For a more in-depth, technical explanation of the vulnerability, check out the <a href=\"https:\/\/raccoon-attack.com\/\">Raccoon Attack website<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What do I need to do about it?<\/h2>\n\n\n\n<p>This vulnerability isn\u2019t about the <a href=\"https:\/\/www.ssls.com\/blog\/how-to-fix-google-chrome-ssl-certificate-errors-in-a-few-simple-steps\/\">SSL certificate<\/a> itself, so you don\u2019t need to reissue or reinstall anything.\u00a0<br><\/p>\n\n\n\n<p>You can check if your site is vulnerable by <a href=\"https:\/\/www.ssllabs.com\/ssltest\/\">visiting the SSL Labs site<\/a> and performing a server test. In the results, look for the \u201cDH public server param (Ys) reuse\u201d setting. If it says \u201cYes\u201d, your server may be vulnerable.&nbsp;<br><\/p>\n\n\n\n<p>If you haven\u2019t already, update your server, application, and software configurations to TLS 1.3 and disable older TLS protocols. Many vendors, such as <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1596\">Microsoft<\/a> and Mozilla, have also released patches addressing the potential vulnerability.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrap Up<\/h2>\n\n\n\n<p>Although it\u2019s worrying that the Raccoon Attack vulnerability exists, it\u2019s unlikely to affect most people. If you\u2019re a website owner who has already adopted TLS 1.3, you have nothing to worry about. For general web users, modern browsers don\u2019t support cipher suites that use the previously mentioned key exchanges, so there\u2019s nothing to worry about on that end either.&nbsp; <br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A team of researchers has recently discovered a vulnerability that can affect HTTPS and other services that utilize TLS or SSL. 
Known as the Raccoon Attack, this vulnerability specifically affects TLS 1.2 and earlier versions of the encryption protocol. Is it something the average website owner should worry about? (Spoiler: not really, but it\u2019s always [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1620","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/1620","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=1620"}],"version-history":[{"count":3,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/1620\/revisions"}],"predecessor-version":[{"id":2695,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/1620\/revisions\/2695"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=1620"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=1620"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=1620"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}